diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-09 18:27:05 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-06-12 14:45:46 +0200 |
| commit | 94aefb1932be882fd93f66cf790ceb19ff575c19 (patch) | |
| tree | f76df07e361a532a71d699d3e6c70da783ace91c /libavcodec | |
| parent | be373cb50d3c411366fec7eef2eb3681abe48f96 (diff) | |
| download | ffmpeg-94aefb1932be882fd93f66cf790ceb19ff575c19.tar.gz | |
4xm: do not overread the source buffer in decode_p_block
Check for out of picture macroblocks before calling mcdc.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/4xm.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index a70be14bdf..2554ba9dff 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -370,6 +370,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, log2w, log2h, stride)) < 0) return ret; } else if (code == 3 && f->version < 2) { + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return AVERROR_INVALIDDATA; + } mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 4) { src += f->mv[bytestream2_get_byte(&f->g)]; @@ -379,6 +383,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); } else if (code == 5) { + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return AVERROR_INVALIDDATA; + } mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); } else if (code == 6) { if (log2w) { |